The Sheeple Are Burning
October 25 a hackertool was released for Firefox in the form of an add-on called Firesheep. It is extremely easy to install and use on Mac, Linux and Windows versions of Firefox. (I will not provide the link. Sorry.) It provides casual Firefox web browser users to spy on and doppelganger anyone who is connected to the Internet via a shared, open Wi-Fi connection. Simply connect your computer to the same open Wi-Fi connection and commence surveillance and identity theft.
It performs its dirty deeds by way of coopting the cookies being sent in the clear from any victim's computer. It is not a thorough form of identity theft, but it adequate while the hacker's computer remains within that open WiFi connection. IDs and passwords are typically not sent in the clear. However, the Firesheep add-on is able copy out of the air the cookies any user is sending to any website. The contents of the cookies may remain completely incomprehensible to the hacker. All that is required is the contents of that cookie to literally "BE" the intercepted victim. This means the hacker can access any active website connections and fake being that person through the use of their intercepted cookies. The hacker can do ANYTHING on those websites AS the victim. If at any point the website asks for password verification, such as when buying items from Amazon.com, the hacker is thwarted. Their identity theft stops dead at that point. However, anything else goes. This can create incredible havoc on the Internet.
At the point in time of this article being posted, well over HALF A MILLION PEOPLE have downloaded Firesheep. That essentially says it is becoming universal, endangering ALL unencrypted Wi-Fi connections to the Internet. And that was the purpose of creating and providing this add-on to the entire computer community.
The creator of this hacker tool is a Black Hat, which is to say that he bulldozes improvements in computer security by providing the means of exploiting a security hole to the world at large without any prior warning to anyone. To use a very mild metaphor, it is the equivalent of 'Tough Love' for computer users and software developers. In this case the desired effect is to lock up ALL Wi-Fi connections via encryption, ending forever open Wi-Fi connections.
There are two cures for this dilemma:
1) All websites must provide SSL encrypted connections at all times, not simply when a user logs in. This means that all websites would stop using merely HTTP connections and instead use only HTTPS connections between themselves and their users. This adds some minor overhead burdens but is entirely feasible. How long it will take the entire World Wide Web to catch up is the big question. The hope is that it will be immediate. But we're dealing with humanity here, therefore...
2) All Wi-Fi connections must require WPA account encryption. This means that all users of an 'open' Wi-Fi connection site must have and use a password in order to access the Wi-Fi hub. Surprisingly, this is an incredibly simple thing to do with nearly all modern routers. (Older routers that only use WEP encryption are SOL). Everyone making a connection to the router can use the exact same password! Routers know the MAC address of every device that connects to them. This allows them to keep each and every connection entirely separate. The fact that each connection uses the same password provides almost perfect separation of users while providing unbreakable (at this time anyway) encryption.
Here's how #2 cure would work at Starbucks: A simple sign is provided at the counter that says something to the effect of "To access Starbucks' Wi-Fi connection, please use the password 'starbucks'." That's it! Simple.
Since Firesheep was let loose for the average computer user, there have been plenty of happy stories of users speaking to the manager of shops that provide free Wi-Fi and asking them to turn on WPA account encryption. For anyone familiar with setting up Wi-Fi routers, turning on WPA is trivial. The shop managers have been happily changing their router setup and killing off the Firesheep threat. I strongly suggest that you do the same EVERYWHERE you go with your Wi-Fi device.
WEP encryption, unfortunately, was created in haste and provides NO SECURITY. It is trivial for hackers to obtain tools that can break into WEP encryption within less than a minute. It is expected, in fact, that future versions of Firesheep or similar hacker tools will include a WEP cracking tool.
The Next Best Thing To A Cure
I knew further shoes were going to drop regarding this subject. I just found out this evening that a helper tool has been provided by Zscaler that can warn you when there are Firesheep prowling around in an open Wi-Fi connection. Once again it is a Firefox add-on. Its name is Blacksheep. (Why black? Read back in the article about Black Hat hackers.)
Below is a quote from our pals at the SANS Institute from SANS NewsBites Vol. 12 Num. 89:
--Firefox Extension Warns users When Others are Using FireSheep (November 8, 2010)The Blacksheep add-on page provides instructions and a video showing it in action.
Researchers have released an extension for Firefox that detects when computers on a local area network are using FireSheep, a tool that steals unencrypted cookies from websites. Called BlackSheep, the extension alerts users by displaying a message telling them that someone is using FireSheep and providing the LAN IP address of the FireSheep user. FireSheep was created and released to draw attention to the lack of encryption for session cookies on many popular websites.
[Editor's Note (Northcutt): Interesting, dueling plug-ins. For the moment this is quite limited as you can install FireSheep and BlackSheep on the same computer only if you use different Firefox profiles. The duel would be over unencrypted LANs:
Also of interest: Microsoft, Intego and other anti-malware providers have added Firesheep to their list of detected 'malware'. This is IMHO a weak move as Firesheep is NOT malware. It is a hacker tool that requires deliberate installation by the hacker and has no user-based malware behavior whatsoever. However, parents or employers would be interested to know about the hacker behavior of their children or employees.
Do NOT consider Blacksheep to be any kind of cure! It is merely a defensive tool when you're STUCK at an unencrypted Wi-Fi spot, such as the Airport or wherever they are too clueless to turn on WPA encryption, or they don't know how, or they're stuck with worthless WEP encryption on their router. Do NOT consider Blacksheep to be thorough defense! It is not. I personally would only use it out of desperation.
The single best defenses against having your cookies stolen and your ID doppelgangered when you're STUCK in an open Wi-Fi spot are to:
1) Never log into anywhere that does not provide end-to-end HTTPS/SSL encryption. An example would be Google's GMail. You can't turn off HTTPS at the GMail site if you try! That's the way it should be everywhere.
2) Remember that eMail provides NO SECURITY apart from possibly an SSL connection to and from your eMail server. Otherwise, everything you email is in the clear for anyone to read. These days I think of some dorky, bored CIA/NEA/FBI human intercepting everything I email and reading it. I even write them little notes from time to time to set off their keyword alarms just to wake them up. Unconstitutional as it is to invade any US citizen's privacy, the Bush League set the precedence for breaking the law anyway, and sadly the Obama administration is goose stepping right along to the same deranged tune. I have further rants on such subjects at my zunipus blog.
The safest thing to do when you're STUCK at an open Wi-Fi spot is to merely browse happy, smiley, shiny websites for fun, not for work, not for financial interactions, not anywhere a hacker could steal your identity. With Firesheep they are you anywhere you go on the web.
Stay safe kids! And watch out for sheep.